Open Bug 1663645 Opened 4 years ago Updated 9 months ago

Assertion failure: mStreams[i].mCurrentPos == 0, at /builds/worker/checkouts/gecko/xpcom/io/nsMultiplexInputStream.cpp:758

Categories

(Core :: DOM: Core & HTML, defect)

Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- affected
firefox82 --- wontfix
firefox99 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox104 --- wontfix
firefox105 --- wontfix
firefox106 --- wontfix

People

(Reporter: jkratzer, Unassigned, NeedInfo)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev fb9c01b719fa (built with --enable-debug). Testcase must be served over HTTP.

Assertion failure: mStreams[i].mCurrentPos == 0, at /builds/worker/checkouts/gecko/xpcom/io/nsMultiplexInputStream.cpp:758

    #0 0x7ff93632fca3 in nsMultiplexInputStream::Tell(long*) /builds/worker/checkouts/gecko/xpcom/io/nsMultiplexInputStream.cpp:758:5
    #1 0x7ff936505092 in nsInputStreamPump::OnStateTransfer() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:559:13
    #2 0x7ff936504957 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:393:21
    #3 0x7ff93650578c in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp
    #4 0x7ff936317625 in mozilla::NonBlockingAsyncInputStream::RunAsyncWaitCallback(mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable*, already_AddRefed<nsIInputStreamCallback>) /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:397:13
    #5 0x7ff93631670c in mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:33:14
    #6 0x7ff93639c894 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:299:14
    #7 0x7ff93639461f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #8 0x7ff936399fca in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #9 0x7ff936c93146 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:332:5
    #10 0x7ff936c04c13 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #11 0x7ff936c04b2d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #12 0x7ff936c04b2d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #13 0x7ff936390a91 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:442:10
    #14 0x7ff94a9ebabb in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #15 0x7ff94b07c608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477:8
    #16 0x7ff94ac45102 in clone /build/glibc-YYA7BZ/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200908095243-fb9c01b719fa.
The bug appears to have been introduced in the following build range:
> Start: e021e0294b0d4552816ad4741a92c37d8325f8a4 (20200604153014)
> End: 88fc15af7bbd93d506404f8d2bb5162bed8f54a0 (20200604153158)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e021e0294b0d4552816ad4741a92c37d8325f8a4&tochange=88fc15af7bbd93d506404f8d2bb5162bed8f54a0

It seems the problem is that an unavailable stream (the result of Available() is 0) was added to nsMultiplexInputStream here.
The stream was created from a blob here and the size of the blob is also 0.
Therefore, I think the problem might be why we have an empty blob from form data. Changing component to DOM to get more insights.

Component: Networking → DOM: Core & HTML

:baku, since you are the author of the regressor, bug 1643156, could you take a look?
For more information, please visit auto_nag documentation.

Flags: needinfo?(amarchesini)

Set release status flags based on info from the regressing bug 1643156

Severity: normal → S3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Unable to reproduce bug 1663645 using build mozilla-central 20220723091444-f69015bf0e0a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon